Revision 6816
Added by ben leinfelder almost 13 years ago
| src/edu/ucsb/nceas/metacat/dataone/D1NodeService.java | ||
|---|---|---|
| 617 | 617 |
|
| 618 | 618 |
boolean allowed = false; |
| 619 | 619 |
|
| 620 |
// permissions are hierarchical |
|
| 621 |
List<Permission> expandedPermissions = expandPermissions(permission); |
|
| 622 |
|
|
| 623 |
// for the "Verified" symbolic user |
|
| 624 |
Subject verifiedSubject = new Subject(); |
|
| 625 |
verifiedSubject.setValue(Constants.SUBJECT_VERIFIED_USER); |
|
| 626 |
|
|
| 620 | 627 |
// get the subjects from the session |
| 621 | 628 |
List<Subject> subjects = new ArrayList<Subject>(); |
| 622 | 629 |
if (session != null) {
|
| ... | ... | |
| 626 | 633 |
} |
| 627 | 634 |
SubjectInfo subjectInfo = session.getSubjectInfo(); |
| 628 | 635 |
if (subjectInfo != null) {
|
| 636 |
// add the equivalent identities |
|
| 629 | 637 |
List<Person> personList = subjectInfo.getPersonList(); |
| 630 | 638 |
if (personList != null) {
|
| 631 | 639 |
for (Person p: personList) {
|
| 632 | 640 |
subjects.add(p.getSubject()); |
| 633 | 641 |
if (p.getVerified()) {
|
| 634 | 642 |
// add the verified symbolic user |
| 635 |
Subject verifiedSubject = new Subject(); |
|
| 636 |
verifiedSubject.setValue(Constants.SUBJECT_VERIFIED_USER); |
|
| 637 | 643 |
if (!subjects.contains(verifiedSubject)) {
|
| 638 | 644 |
subjects.add(verifiedSubject); |
| 639 | 645 |
} |
| 640 | 646 |
} |
| 641 | 647 |
} |
| 642 | 648 |
} |
| 649 |
// add the groups |
|
| 643 | 650 |
List<Group> groupList = subjectInfo.getGroupList(); |
| 644 | 651 |
if (groupList != null) {
|
| 645 | 652 |
for (Group g: groupList) {
|
| ... | ... | |
| 697 | 704 |
search: // label break |
| 698 | 705 |
for (AccessRule accessRule: allows) {
|
| 699 | 706 |
for (Subject s: subjects) {
|
| 700 |
//if (accessRule.getSubjectList().contains(s)) {
|
|
| 701 |
for (Subject ruleSubject: accessRule.getSubjectList()) {
|
|
| 702 |
if (ruleSubject.equals(s)) {
|
|
| 703 |
allowed = accessRule.getPermissionList().contains(permission); |
|
| 707 |
if (accessRule.getSubjectList().contains(s)) {
|
|
| 708 |
for (Permission p: expandedPermissions) {
|
|
| 709 |
allowed = accessRule.getPermissionList().contains(p); |
|
| 704 | 710 |
if (allowed) {
|
| 705 | 711 |
break search; //label break |
| 706 | 712 |
} |
| 707 |
} |
|
| 713 |
} |
|
| 714 |
|
|
| 708 | 715 |
} |
| 709 | 716 |
} |
| 710 | 717 |
} |
| ... | ... | |
| 1039 | 1046 |
} |
| 1040 | 1047 |
|
| 1041 | 1048 |
} |
| 1049 |
|
|
| 1050 |
/** |
|
| 1051 |
* Given a Permission, returns a list of all permissions that it encompasses |
|
| 1052 |
* Permissions are hierarchical so that WRITE also allows READ. |
|
| 1053 |
* @param permission |
|
| 1054 |
* @return list of included Permissions for the given permission |
|
| 1055 |
*/ |
|
| 1056 |
protected List<Permission> expandPermissions(Permission permission) {
|
|
| 1057 |
List<Permission> expandedPermissions = new ArrayList<Permission>(); |
|
| 1058 |
if (permission.equals(Permission.READ)) {
|
|
| 1059 |
expandedPermissions.add(Permission.READ); |
|
| 1060 |
} |
|
| 1061 |
if (permission.equals(Permission.WRITE)) {
|
|
| 1062 |
expandedPermissions.add(Permission.READ); |
|
| 1063 |
expandedPermissions.add(Permission.WRITE); |
|
| 1064 |
} |
|
| 1065 |
if (permission.equals(Permission.CHANGE_PERMISSION)) {
|
|
| 1066 |
expandedPermissions.add(Permission.READ); |
|
| 1067 |
expandedPermissions.add(Permission.WRITE); |
|
| 1068 |
expandedPermissions.add(Permission.CHANGE_PERMISSION); |
|
| 1069 |
} |
|
| 1070 |
return expandedPermissions; |
|
| 1071 |
} |
|
| 1042 | 1072 |
|
| 1043 | 1073 |
/* |
| 1044 | 1074 |
* Write a stream to a file |
Also available in: Unified diff
interpret permissions as hierarchical
https://redmine.dataone.org/issues/2150